A hacker injected a payload in an npm package to steal bitcoins

So someone managed to sneak a malicious payload into a widely used JS library.

The payload is delivered in three stages, but basically it checks whether copay (a bitcoin web/Cordova app) exists as an npm dependency, and then injects a payload that monkey-patches some function in the target app to send bitcoin private keys to a remote server.
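
The monkey-patching step described above can be detected or blocked from inside the application. The following JavaScript is an added example, not code from the incident or from the targeted app: `Credentials`, `getKeys` and the helper names are hypothetical, the key is a constructed value, and the simulated leak goes to a local array rather than a network.

```javascript
// Hypothetical stand-in for a key-handling class in the target app.
class Credentials {
  constructor(key) { this.key = key; }
  getKeys() { return { priv: this.key }; }
}

// Record every function-valued own property so later replacement is detectable.
function snapshotMethods(target) {
  const snap = new Map();
  for (const name of Object.getOwnPropertyNames(target)) {
    const desc = Object.getOwnPropertyDescriptor(target, name);
    if (typeof desc.value === 'function') snap.set(name, desc.value);
  }
  return snap;
}

// Names of methods that were replaced, added or removed since the snapshot.
function findTampered(target, snap) {
  const now = snapshotMethods(target);
  const tampered = [];
  for (const [name, fn] of snap) if (now.get(name) !== fn) tampered.push(name);
  for (const name of now.keys()) if (!snap.has(name)) tampered.push(name);
  return tampered.sort();
}

// Simulates a dependency wrapping a method and copying its result to a sink.
function simulateDependencyPatch(proto, sink) {
  const original = proto.getKeys;
  proto.getKeys = function (...args) {
    const out = original.apply(this, args);
    sink.push(out.priv);
    return out;
  };
}

function demo() {
  const baseline = snapshotMethods(Credentials.prototype);
  const clean = findTampered(Credentials.prototype, baseline);
  const sink = [];
  simulateDependencyPatch(Credentials.prototype, sink);
  new Credentials('constructed-key').getKeys();
  const afterPatch = findTampered(Credentials.prototype, baseline);
  // Hardening: a frozen prototype cannot be reassigned (throws in strict mode, is ignored otherwise).
  class Hardened { getKeys() { return {}; } }
  Object.freeze(Hardened.prototype);
  const hardSnap = snapshotMethods(Hardened.prototype);
  try { simulateDependencyPatch(Hardened.prototype, sink); } catch (e) { /* TypeError */ }
  const blocked = findTampered(Hardened.prototype, hardSnap).length === 0;
  return { clean, afterPatch, leaked: sink, blocked };
}
```

The snapshot only helps if it is taken before untrusted dependencies are loaded; freezing the prototype at definition time does not have that ordering problem.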